AuthAnvil 2FA Multi-Site Administration Configuration Guide

This guide explains how to set up Grouped Users and Proxied Users, and how to configure Internet Information Services (IIS) so that strong authentication can be added to multi-site administration with AuthAnvil Two Factor Auth. Once this is in place, an AuthAnvil Two Factor Auth administrator can revoke a grouped member's administrative rights at every remote site with a single change in the AuthAnvil Two Factor Auth Manager, instead of visiting each client site and deleting that member by hand. This saves both time and money in reactive administration, and is one of the most useful features of the product.

A few definitions may help to guide you through this implementation guide:

Grouped User: An account to which multiple members may belong. Each member must be an AuthAnvil Two Factor Auth user with an AuthAnvil Two Factor Auth token assigned.

Proxied User: An account which delegates authentication to another AuthAnvil Two Factor Auth server.

Introduction

One of the biggest difficulties in managing multiple client sites is the administrative burden of changing passwords whenever an employee leaves or changes roles. This guide shows how to configure proxied delegation for use with Multi-Site Administration. In this configuration, selected group members in AuthAnvil Two Factor Auth can log into remote client sites using their own AuthAnvil Two Factor Auth token together with a single shared domain or root credential, so that no additional hardware tokens are needed to provide strong authentication across sites.

An added benefit of this approach is that remote access across all client sites can be revoked simultaneously, quickly and at no cost, by disabling a user's token or removing them from the primary Grouped User. Note that the shared credential itself is not changed by this step, so the revocation is only as strong as the two-factor enforcement at each site: every login path that uses the shared account must go through AuthAnvil Two Factor Auth.

Creating a Grouped User

Grouped Users act like normal users in AuthAnvil Two Factor Auth, but can have several members, each with their own token assigned.

Step 1 - Open AuthAnvil Two Factor Auth Manager and go to the 'Users' tab.

Step 2 - Create a 'Grouped User' on your own corporate AuthAnvil Two Factor Auth SAS by mousing over the actions menu.

Step 3 - Select 'Add New Grouped User'.

Step 4 - Enter a username that matches the administrative account name on the remote client systems. Common examples include "Administrator" or "root". For Windows administration, we recommend that you do not use the default domain Administrator account; instead create a secondary account with a name that is unique yet the same across all client sites, such as 'admintech'.

Step 5 - Assign members to the 'Grouped User' by moving them from the 'Available Members' tab to the 'Current Members' tab.

Step 6 - Click 'Save Changes' to complete the task.

Enabling IPs in IIS

If you have hardened your AuthAnvil Two Factor Auth server, you may have reduced the attack surface of the AuthAnvil Two Factor Auth SAS by restricting it to a limited set of IP addresses. If so, the secondary (remote-site) AuthAnvil Two Factor Auth server(s) must be added to that allow list, since a Proxied User forwards authentication requests from the remote site to your corporate SAS. Please follow the steps below to allow access by the secondary AuthAnvil Two Factor Auth server(s):
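The following PowerShell is an added example, not part of the original guide or of AuthAnvil itself. It uses the IIS "IP and Domain Restrictions" feature (the system.webServer/security/ipSecurity configuration section, which requires that role service to be installed) to keep the SAS site locked down while allow-listing the remote-site SAS servers. The IIS location 'Default Web Site/AuthAnvil' and the two IP addresses are assumptions for illustration; substitute the location where your SAS is actually installed and the public addresses the remote sites connect from.

```powershell
# Added example (not AuthAnvil documentation): allow-list remote-site SAS servers
# on a corporate SAS whose IIS site is restricted with IP and Domain Restrictions.
# Requires the WebAdministration module (IIS role) and an elevated prompt.
Import-Module WebAdministration

$apphost  = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/AuthAnvil'            # ASSUMED location of the SAS in IIS
$filter   = 'system.webServer/security/ipSecurity'
# CONSTRUCTED example addresses (RFC 5737 documentation ranges), not real sites.
$remoteSasServers = @('203.0.113.10', '198.51.100.24')

# Keep the hardened state: anything not explicitly listed is denied.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name 'allowUnlisted' -Value $false

# Current allow/deny entries, so re-running the script does not add duplicates.
$existing = Get-WebConfiguration -PSPath $apphost -Location $location -Filter "$filter/add"

foreach ($ip in $remoteSasServers) {
    if ($existing | Where-Object { $_.ipAddress -eq $ip }) {
        Write-Host "Entry for $ip already present, skipping."
        continue
    }
    # Single-host allow entry (/32 mask) for the remote-site SAS server.
    Add-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter $filter -Name '.' `
        -Value @{ ipAddress = $ip; subnetMask = '255.255.255.255'; allowed = $true }
    Write-Host "Allowed $ip for $location."
}

# Verification: print the resulting rule set for the SAS location.
Get-WebConfiguration -PSPath $apphost -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Allow only the specific public addresses the remote SAS servers use (or, for client sites without a local SAS, the addresses their agents connect from), not whole provider ranges; the IP restriction is a network-layer control that narrows who can reach the service, and the token check performed by the SAS remains the actual authentication.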

Create a Proxied User

In this step we will create a Proxied User at the client site. A Proxied User forwards authentication requests to a different AuthAnvil Two Factor Auth server for validation; this is what allows the members of a Grouped User on your corporate SAS to manage all of the client machines remotely.

Step 1 - Open AuthAnvil Two Factor Auth Manager on the remote client site where an AuthAnvil Two Factor Auth SAS is also installed, and go to the 'Users' tab.

Step 2 - Create a 'Proxied User' with the same name as the 'Grouped User' on your corporate AuthAnvil Two Factor Auth SAS, such as 'admintech'.

On client sites that do not have their own AuthAnvil Two Factor Auth server, you can still offer centralized two-factor authentication. Instead of pointing the agents at a local AuthAnvil Two Factor Auth server as in the previous steps, configure them to use the AuthAnvil Two Factor Auth server at your office. Remember to configure an override password and/or an override security group so that your staff can still log on if the network link to your office is down. Because an override allows logon without the token check, treat it as a break-glass credential: make the password strong, store it securely, and restrict the override group to as few accounts as possible.